Re: Prevent users running executables from pen drives
From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 09/23/04
- Next message: sancho: "How to check if a machine is owned by a hacker?"
- Previous message: edongskiu: "dialup networking security/encryption feature"
- In reply to: Steven L Umbach: "Re: Prevent users running executables from pen drives"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Sep 2004 11:25:51 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steven L Umbach wrote:
| The fact that they are power users will not be a problem with SRP. I
think you will
| find using it will be very productive. See the link below for a great
paper on
| implementing SRP. One gotcha I came access is that shortcuts are
restricted also with
| SRP as are a lot of other files. So if you create an allowed path rule
to a folder
| and the application does not run, make sure that the shortcut has a
rule to allow it
| to run. I suggest that shortcuts be all placed in the all users
profile as a user can
| not write to that folder and remove power users write permissions to
it also. You can
| also exempt local administrators from SRP with the enforcement policy
so that they
| can access the computer like normal. Be sure to set up a test OU to
tweak your
| settings. --- Steve
|
|
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:citr7c$jlp$2@newsfeed.th.ifl.net...
|
| Thanks Steve
|
| We are using XP pro on our 2003 domain so this looks like a winner to
| be, apart from the fact that we do need the users to have either 'power
| user' rights on our XP boxes because of what we might term 'legacy'
| software. But we lock down the desktops so they can't access control
| panel so it might prove to be an effective solution!
|
| Steven L Umbach wrote:
| | The best solution I know of would be to use XP Pro computers and
| Software Restriction
| | Policies. SRP can be configured to allow users to run only authorized
| applications
| | via certificate, hash, or path rules. If a user had a default
| disallowed policy and
| | paths to say only specific program files folder for allowed
| applications, and the
| | associated shortcuts in the all users profiles they would not be able
| to execute a
| | file on a USB drive or copied to their profile folders. If SRP are
| applied under
| | computer configuration they can also apply to local administrators if
| need be by
| | configuring the enforcement rule. XP Pro computers can have their
| Group Policy
| | features applied in a W2K domain. I don't know of a good solution in
| W2K. About the
| | best you can do is to make sure users are not local administrators and
| try modifying
| | the Windows Applications policy settings under user
| configuration/system to populate
| | the allowed only or disallowed list. --- Steve
| |
| |
| | "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| | news:cis296$7as$1@newsfeed.th.ifl.net...
| |
| | Hi
| |
| | I've seen lots of postings from people who want to prevent users writing
| | to their usb pen drives, we want our users to read and right - but not
| | run programs. Does anybody have any solutions for this (being in the
| | educational sector 'free' would be nice)
| |
| | thanks
Thanks for the tip steve, I'll test it out
andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBUqSuqmlxlf41jHgRAg5MAKCqSmk5S5ijNQP8p4GlNip072nmVwCfQCS8
fXkjqQoZL1hMDprVq5tN9Vo=
=rDGK
-----END PGP SIGNATURE-----
- Next message: sancho: "How to check if a machine is owned by a hacker?"
- Previous message: edongskiu: "dialup networking security/encryption feature"
- In reply to: Steven L Umbach: "Re: Prevent users running executables from pen drives"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
